Amazon S3 Security: 19 Years Later - Why Cloud Data Security is Still Complex to Manage

(PDF, 3.14MB) Last updated: 03 Oct, 2025
Presented by: Jason Kao

Cloud storage has been around for 19 years. Amazon Simple Storage Service was released in 2006. It's 2025 and cloud data security is still complex to manage.

In this talk, we'll cover the complexity of cloud storage, specifically AWS's cloud storage service, Amazon S3. We'll talk about the security history of S3, including misconfigured public buckets, new attacks including S3 ransomware, and notable incidents involving S3 that have made the news. We will then cover the history of S3 features, including Block Public Access, encryption, and the levels of control at the Organization, Account, Bucket, and Object levels.

With all these features, we see 10+ configuration items, such as the 4 configuration items required to have public access via ACLs and the 3 different configuration items required to have public access via bucket policies.

Because of all these configuration items and the complexity of configuring S3, we developed and open-sourced YES3 Scanner (Yet Another S3 Security Scanner), which we'll share during this talk, along with examples and takeaways on what to look for and how to effectively secure your data in S3.

SANS CloudSecNext Summit 2025